Keeping Data Secure While Traveling
April 30, 2008
Summer is approaching, and many people will be setting off on travel
adventures. These days, using the internet has become ubiquitous, and
going without it while traveling has become
inconceivable. Unfortunately, sometimes the only option for getting
online is to use an internet cafe, despite the well-known risks.
How can you use an internet cafe safely? A recent thread
on Slashdot discussed this question. The range of suggestions in the
thread is impressive. Many people suggested improved authentication
methods, while others said that cybercafes should never be used
for confidential data.
A few interesting themes emerged from the discussion:
- Avoid cybercafes whenever possible. Many machines in cafes
are infested with keyloggers: software that records every
keystroke typed on the machine and then sends it off to the attacker's
site, giving the attacker the ability to see your passwords. However,
keylogging is only one of the attacks you need to worry about. It's
better just to avoid the problem, especially if the information you're
processing is critical. Using your own machine on a wireless network
is a much better option.
- Don't rely on mouse-based keyboards. To protect
against keyloggers, many financial institutions have begun using
software keyboards where users must select letters on a graphic
picture of a keyboard. Some of us may be tempted to use cybercafes for
banking, thinking that their data is protected by these "soft"
keyboards. However, smart keyloggers these days capture mouse clicks
as well as keyboard clicks, meaning that attackers can piece together
your password by knowing the size and position of the virtual keyboard
and the sequence of clicks you made.
- Use one-time passwords. The best defense against
keyloggers is to use one-time passwords. These are just what the name
implies: passwords that you only use once. One common technique is to
print out a hundred or so passwords before setting off on your trip to
Salalah and cross off each password as you use it. Because you use
each password only once, it doesn't matter if an attacker learns what
each password is; it will never be used again. If you control your
infrastructure, using a one-time password system like S/Key or SecurID
may be the best option. If you don't control your infrastructure,
though, using these systems may be impossible because they are not
widely deployed at this time.
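The hash-chain idea behind S/Key-style one-time passwords, as an added example that is not from the original post or from S/Key itself: the traveller generates a chain h(seed), h(h(seed)), ... before the trip and prints it as a numbered list; the server stores only the last element and never the seed. Each login presents the element one step earlier in the chain, and the server accepts it only if hashing it once reproduces what it stored, then moves its anchor back one step. A password captured by a keylogger is therefore useless afterwards. SHA-256, the class and function names, and the constructed seed below are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def s_key_chain(seed: bytes, n: int) -> list:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)] with h = SHA-256.

    The last element h^n(seed) is what the server is given; the traveller keeps
    the rest (or prints them) and uses them in reverse order.
    """
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


def password_list(seed: bytes, n: int) -> list:
    """Lines of a printable list, numbered so the user can cross them off.

    Entry n-1 is used first, entry 0 last; hex is used here only to make the
    values printable (a real system would use a word encoding).
    """
    chain = s_key_chain(seed, n)
    return [f"{i:3d}  {chain[i].hex()}" for i in range(n - 1, -1, -1)]


class OtpServer:
    """Server side: holds only the current chain anchor and a counter."""

    def __init__(self, anchor: bytes, remaining: int):
        self.anchor = anchor        # h^n(seed); the seed itself is never stored
        self.remaining = remaining  # how many one-time passwords are left

    def verify(self, candidate: bytes) -> bool:
        """Accept `candidate` only if SHA-256(candidate) == stored anchor.

        On success the anchor moves one step back along the chain, so the
        same password can never be accepted a second time (replay fails).
        This simple variant requires logins in strict order; skipping an
        entry is rejected.
        """
        if self.remaining == 0:
            return False
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.anchor):
            self.anchor = candidate
            self.remaining -= 1
            return True
        return False


def demo(seed: bytes = None, n: int = 5) -> list:
    """Walk through a trip: legitimate logins, then a replay of a captured password."""
    if seed is None:
        seed = secrets.token_bytes(32)  # constructed at random for the demo
    chain = s_key_chain(seed, n)
    server = OtpServer(chain[n], n)   # enrolment: server learns only h^n(seed)
    results = []
    results.append(server.verify(chain[n - 1]))  # first login from the cafe: accepted
    results.append(server.verify(chain[n - 1]))  # keylogged password replayed: rejected
    results.append(server.verify(chain[n - 2]))  # next printed entry: accepted
    return results


if __name__ == "__main__":
    for line in password_list(b"constructed-demo-seed", 5):
        print(line)
    print(demo(b"constructed-demo-seed"))  # [True, False, True]
```

The server can be given the anchor over any channel, even an untrusted one, because recovering an earlier chain element from a later one would require inverting the hash; what must stay private is the printed list itself.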